Your hard drive will self-destruct at 2pm: Inside the South Korean cyberattack

But the defacement of a website during the attack may be a separate problem.

A cyberattack in South Korea on Wednesday took the networks of several companies offline. While some recovered in a matter of hours, South Korea's public broadcasting organization, KBS, is still offline. But the identity of the person or group behind the attacks is still an open question—one muddied by the hackers who are taking credit for at least part of it. It's not clear at this point if the attack was state-sponsored, cyberwarfare by North Korea, or simply an act of cyberterrorism by hackers looking to make a virtual name for themselves.

As we reported earlier, at about 2pm Seoul time, the networks of three broadcasters and three banks were affected by an attack that disrupted their networks, possibly caused by malware. But while malware was initially blamed for the outage, the malware that's been discovered thus far could not have taken networks down by itself. There was a lot more going on than just a malware attack; the convergence of multiple types of attacks suggests a coordinated effort by an organized attacker.

The latest update from South Korean officials is that the attack emanated from a Chinese IP address. But the identity of the attackers is still unclear.

The “wiper”

The malware portion of the cyberattack that investigators have uncovered thus far was a "wiper," a strain of Windows trojan that Sophos says it first identified over a year ago, and one similar in behavior to part of the Shamoon virus that attacked energy companies in the Middle East last summer. But other than its function, the malware used in the South Korea attacks bears no resemblance to Shamoon or to other viruses that have been used in "cyberwar" attacks.

In an interview with Ars Technica, Director of Operations for Symantec Security Response Liam O'Murchu said that the malware, which his company identifies as Trojan.Jokra, showed no signs of being anything remarkable. "Nothing stands out about it," he said. The "dropper" portion of the attack—the malware that installed the "wiper" component—is still being analyzed; security firms haven't yet determined how it was distributed.

When activated, the malware first kills processes associated with antivirus and security software. Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said. It "also looks to see if you have any drives connected that aren't mapped to a drive letter." The malware then attempts to do the same to the unmapped drives, forcing the computer to reboot by executing a command-line shutdown. Once the computer reboots, it's unusable without the disk being reformatted and restored.

But not all of the variants of the malware found by researchers act the same. FireEye Senior Researcher Zheng Bu said that in his observations and in those of his colleague, researcher Vinay Pidathala, the malware did not seem to express any network drive attack behaviors. "We can confirm only the MBR part," he said. Additionally, Zheng said that they had one variant that used a clock API call to check the time, waiting for 2pm on March 20 to trigger, while other samples collected lacked that code.

One thing all of the variants had in common was what they used to overwrite the data in the MBR record: the words "PRINCIPES" (which Pidathala pointed out is a Latin word for Roman heavy infantry) and "HASTATI" (a word for Roman light infantry). And the code of the malware, Zheng said, was rather simple. "Malware is usually modularized," he said. "This one is rather simple. It does what it does."
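The MBR overwrite described above is the one artifact a responder can check directly on a disk image. The following is an added example (not code from the Ars Technica article, Symantec, FireEye or any vendor tool) that triages the first sector of a raw image: it reports whether the standard 0x55AA boot signature and a populated partition table are still there, and whether either of the filler words the researchers reported appears in the sector. The article names only the two words, not how they are laid out on disk, so the checker searches for them anywhere in the sector rather than at a fixed offset; the sample sectors are constructed here, not taken from a real infection.

```python
# Added example (not from the Ars Technica article, Symantec, FireEye or any
# vendor tool): triage the first sector of a disk image to tell an intact MBR
# from one overwritten in the way the article describes for Trojan.Jokra.
# Assumptions, all labelled: the article names only the two filler words
# ("PRINCIPES", "HASTATI"); their on-disk layout is not stated, so the checker
# searches for the words anywhere in the sector. The sample sectors built
# below are constructed, not captured from a real machine.
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446                       # four 16-byte partition entries
BOOT_SIG_OFFSET = 510                         # 0x55AA marks a valid MBR
BOOT_SIGNATURE = b"\x55\xaa"
WIPER_MARKERS = (b"PRINCIPES", b"HASTATI")    # filler words reported in the article


def count_partition_entries(sector: bytes) -> int:
    """Count partition-table slots whose type byte (offset 4 in the entry) is nonzero."""
    count = 0
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        if entry[4] != 0:
            count += 1
    return count


def classify_sector(sector: bytes) -> dict:
    """Return a small report on one 512-byte sector.

    verdict is one of:
      "wiped"   - a Jokra-style filler word is present
      "intact"  - boot signature present and at least one partition entry
      "damaged" - neither; overwritten with something else, or not an MBR
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    markers = [m.decode("ascii") for m in WIPER_MARKERS if m in sector]
    sig_ok = sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIGNATURE
    partitions = count_partition_entries(sector)
    if markers:
        verdict = "wiped"
    elif sig_ok and partitions > 0:
        verdict = "intact"
    else:
        verdict = "damaged"
    return {"verdict": verdict, "boot_signature_ok": sig_ok,
            "partitions": partitions, "markers": markers}


def classify_image(path: str) -> dict:
    """Read the first sector of a raw disk image (or block device) and classify it."""
    with open(path, "rb") as fh:
        return classify_sector(fh.read(SECTOR_SIZE))


def build_intact_mbr() -> bytes:
    """Constructed sample: boot stub, one bootable Linux partition, valid signature."""
    boot_code = b"\xfa\xf4" + b"\x00" * (PART_TABLE_OFFSET - 2)   # cli; hlt; padding
    entry = (bytes([0x80])                                  # bootable flag
             + b"\x00\x02\x00"                              # CHS start (unused here)
             + bytes([0x83])                                # type: Linux
             + b"\xfe\xff\xff"                              # CHS end (unused here)
             + struct.pack("<II", 2048, 2_097_152))         # LBA start, sector count
    table = entry + b"\x00" * 48                            # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr(word: bytes = b"PRINCIPES") -> bytes:
    """Constructed sample: the sector filled with one marker word repeated.
    The repetition is an assumption; the article only names the words."""
    return (word * (SECTOR_SIZE // len(word) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    for label, sector in (("intact", build_intact_mbr()),
                          ("wiped", build_wiped_mbr()),
                          ("wiped-hastati", build_wiped_mbr(b"HASTATI"))):
        print(label, classify_sector(sector))
```

Run it against an image with `classify_image("/path/to/disk.img")`; a "damaged" verdict with no markers means the sector was overwritten by something other than the pattern reported here, and is worth a manual look rather than being filed under this malware.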

Zheng added that this attack is a "deviation from the current trend" in advanced persistent threat (APT) attacks, which tend to be focused on information stealing rather than destruction. "To be honest, it's been quite a while since we've observed a disruptive malware like this," he said.

But for all its disruption, the "wiper" malware has little if anything to do with the network disruptions that were experienced at about the same time as the virus triggered.

The dropper

The script in the dropper looks specifically for mRemote, an open-source remote connection manager for Windows that keeps profiles for saved connections in an XML file. The script searches that file for saved SSH connections to Linux machines with root privileges. If it finds one, it opens the connection with the stored credentials and executes a script that uploads and runs drive-wiping bash commands for Linux, Solaris, AIX, or HP-UX. On Linux, the commands delete the /kernel, /usr, /etc, and /home directories.
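The condition the dropper depends on, a saved SSH profile that logs in as root with a stored password, is something an administrator can audit for before any malware does. Below is an added example (not code from the article, from mRemote, or from any of the vendors quoted) that walks an mRemote-style XML profile and lists the SSH connections carrying a stored root password. The element and attribute names used (Node, Type, Protocol, Hostname, Username, Password, Port) are my recollection of mRemote's confCons.xml layout and should be compared against a real export before the output is trusted; the sample profile is constructed. The audit never decodes or prints the stored secret, it only reports that one is present.

```python
# Added example (not from the article and not mRemote's own code): audit an
# mRemote-style connection profile for the condition the dropper abused,
# saved SSH connections that log in as root with a stored password.
# Assumptions, labelled: the element and attribute names (Node, Type,
# Protocol, Hostname, Username, Password, Port) follow mRemote's confCons.xml
# layout as I recall it; compare with a real export before trusting the
# output. The sample profile below is constructed. Stored password values are
# never decoded or printed; the audit only reports that one exists.
import xml.etree.ElementTree as ET

SSH_PROTOCOLS = {"SSH1", "SSH2"}
PRIVILEGED_USERS = {"root"}

# Constructed sample in the assumed mRemote layout (not a real export).
SAMPLE_PROFILE = """<Connections Name="Connections" Export="false" ConfVersion="2.5">
  <Node Name="prod-db" Type="Connection" Protocol="SSH2" Hostname="192.0.2.5"
        Username="root" Password="c3RvcmVkLXNlY3JldA==" Port="22"/>
  <Node Name="jump" Type="Connection" Protocol="SSH2" Hostname="192.0.2.9"
        Username="ops" Password="" Port="22"/>
  <Node Name="Servers" Type="Container">
    <Node Name="build" Type="Connection" Protocol="SSH2" Hostname="192.0.2.7"
          Username="root" Password="" Port="22"/>
    <Node Name="win-fs" Type="Connection" Protocol="RDP" Hostname="192.0.2.8"
          Username="Administrator" Password="c3RvcmVkLXNlY3JldA==" Port="3389"/>
  </Node>
</Connections>
"""


def audit_profile(xml_text: str) -> dict:
    """Walk every connection node (containers included) and bucket the SSH ones.

    Returns {"ssh_total": n,
             "stored_password": [...],        # any SSH profile with a saved password
             "root_stored_password": [...]}   # subset logging in as root
    Each list item is {"name", "host", "user", "port"}; no secret is copied out.
    """
    root = ET.fromstring(xml_text)
    report = {"ssh_total": 0, "stored_password": [], "root_stored_password": []}
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if node.get("Protocol", "").upper() not in SSH_PROTOCOLS:
            continue
        report["ssh_total"] += 1
        if not node.get("Password", ""):       # empty string: nothing stored
            continue
        item = {"name": node.get("Name", "?"), "host": node.get("Hostname", "?"),
                "user": node.get("Username", ""), "port": node.get("Port", "22")}
        report["stored_password"].append(item)
        if item["user"] in PRIVILEGED_USERS:
            report["root_stored_password"].append(item)
    return report


def audit_file(path: str) -> dict:
    """Audit a profile on disk, e.g. the user's confCons.xml (path is an assumption)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_profile(fh.read())


if __name__ == "__main__":
    r = audit_profile(SAMPLE_PROFILE)
    print(f"SSH profiles: {r['ssh_total']}, with stored password: {len(r['stored_password'])}")
    for item in r["root_stored_password"]:
        print(f"ROOT + stored password: {item['name']} -> "
              f"{item['user']}@{item['host']}:{item['port']}")
```

The point of treating an empty Password attribute as safe is that mRemote then prompts at connect time, so the profile cannot be driven unattended; whether the stored value is plaintext or encrypted with a fixed key makes no difference to an audit, since anything running as the logged-in user can hand it to the client either way.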

The defacement

At about the same time as the "wiper" malware was triggered, at least one website of Korean network provider LG U+ was defaced. According to a Reuters report, an LG U+ spokesperson said that the company believed its network had been hacked.

The defacement, an animated webpage complete with audio of maniacal laughter, included "leet-speak" signatures for the hackers in the code. Identifying themselves as "Whois Team," the hackers made no reference to political goals but posted a typical defacement hack manifesto. "We have an Interest in Hacking," the page declared. "This is the Beginning of Our Movement. User Accounts and All Data are in Our Hands. Unfortunately, We have deleted Your Data. We'll be back Soon."

A video capture of the LG site defacement.

Some reported that when the "wiper" malware struck workstations, it showed the same message. But none of the security researchers who spoke with Ars were able to reproduce that in their tests. The defacement, then, appears to have been a separate act—it's impossible to say whether those hacking the site just happened to have incredibly bad timing or if they were involved in the larger cyberattack.

The network outages

Just as the clock struck 2pm Seoul time and triggered the "wiper" malware, the networks of the targeted organizations started going down. Nearly all of the targeted companies used LG U+ as a network provider, so it's possible that hackers could have sent Border Gateway Protocol commands or done other things with network configurations that disrupted the networks of the targeted companies. But it's unlikely that that alone would have taken out the networks of the four companies that were reported "offline" by Internet monitoring company Renesys.

Renesys Senior Analyst Doug Madory posted an analysis that showed that about thirty minutes after the broadcasters' networks went down, the network of Korea Gas Corporation also suffered a roughly two-hour outage, as all 10 of its routed networks apparently went offline. Three of Shinhan Bank's networks dropped offline as well. In a phone conversation with Ars, Madory said, "Korea Gas had two paths out, so it should have been able to fail over. It leads you to believe there was something wrong at their data center."

Still, LG U+'s routing data shows evidence that something affected the provider itself. The company, which was previously known as LG Datacom, had what Madory called "a small drop in routes. They have 136 network prefixes, and went down [during the attack] to 116, so about 20 networks were dropped."

The Unix attacks in the dropper malware are novel for Windows security threats, but they were dependent on a specific piece of no-longer-supported connection software—so unless it was known that the target companies ran that software on desktops connected to fairly vanilla-configured Unix systems, it's unlikely the attack did much damage.

It's possible that the network outages were caused by the companies themselves as a reaction to the malware, in an effort to stop what may have looked like an active attack. But the "wiper" malware and its installer could have been sitting on desktops for months before they were triggered. Until there's more evidence of how they were introduced onto targeted PCs, there's not much to go on to attribute the attack.

As for the Whois Team, it's not clear they're involved in the larger attack. They could have simply found one vulnerable Web application and left their mark, either out of circumstance or as a move to take credit for an even bigger coup.